How Much Network Security Is Enough?

How much network security does a small or midsize business need? To find out, IT managers must measure their companies' tolerance for risk and make a business case for pursuing a network security system that fits

Being asked a computer science question, or more particularly a networking-based question, caused me to break out the hanky I reserve for those times when I find out my backup copy was an incremental instead of a full. I thought about the whistles of the old modems of yesteryear, the whirl of 8mm backup tapes, the 2,600-MHz tone of a phone switch, the capacitor start fans in a large router or switch. (I have goosebumps...)

So with the sage-like wisdom of my 18 years in information technology, I said, "Go ask your mom."

Truthfully, if data had a sound, I bet it would sound more like "ka-ching" -- the sound of a cash register draining an IT budget. This is certainly true in network security.

Since I can't make a living fishing, network security is my bread and butter. I have shown the value of security over and over in presentations, videos, radio, Morse code, you name it. And it's easy! I can scare eight lives out of a cat with hacking toolsand statistics. Security is badly needed and misunderstood in our industry. After a presentation, I always fear that a street-smart C-level executive will come up and ask me to make a business casefor what I've presented without the scare tactics. I would turn into Barney Fifetrying to buy a car right on the spot.

So now that I've exposed a deep personal fear, let's look at how we can justify spending cash on network security. First, understand that your data has value. Not just a little, but a whole lot. In fact, $67.2 billion is lost annually on computer-related crimes, according to the FBI. As a point of reference, in today's money, it cost about $135 billion for the entire Apollo space program. With that kind of money at stake, folks are going to work very hard to get access to your data.

Security is needed, but we can't assume we have an unlimited security budget. If that were true, we would have sales reps stalking us like the paparazzi hound movie stars. To determine how much we should spend on security, we need to look at two factors: risk aversion and risk tolerance.

Before we get into this, understand that risk aversion and risk tolerance are based on data points you fill out in a 100-question InfoSec management survey,scored 0 through 5, with 0 being not applicable and 5 being grave effects. The benchmark most companies test this against is ISO 17799,"The Code of Practice for Information Security Management."

Don't rush through this survey or pass it down to someone else in your organization. It should be completed by a C-level executive. This not only gives it immediate buy in, but also helps the C-level set the vision and understand the process. IT folks should work with the results of this survey and not the vision of the survey.

Risk aversion is really something we learned from our grandmothers: "Better to be safe than sorry." This is, of course, very subjective because one network admin's risk is another one's adventure. I did some work at a large U.S. government facility, and they were under continuous attack. They didn't give it a second thought. The alarms would go off with warning of a hacker from Asia, and they'd look me straight in the face and say, "Are you ready for lunch?"

Risk aversion is something that should be based on your response to the InfoSec survey. This is broken down into two scores: an InfoSec management quotient (IM) and an InfoSec operational quotient (IO).

The IM score is really the true pulse of your company's aversion to risk. This part of the survey is for the senior IT manager or CIO to complete. It has questions related to IT policy, personnel, and data.

The IO score is all other departments' view of IT data services. It gauges what they view as critical and important to their contribution to the overall accomplishment of the company's goals. This is for all of your different departments to complete. The rule of thumb is if they have a department head and a budget, they get a survey.

Now, with these two data points compiled, you can compute your risk aversion quotient. It will look something like this:

IM quotient + IO quotient
____________________ = risk aversion (RA)

2

Now with some real data, we can look at our RA with just some quick calculations:

IM = 74 and IO = 67

74+67/2=71 or 71% risk-averse

Like all good math, that is never the end of the story; it keeps on going. Now we need to collate the RA number (71%) to a risk tolerance chart.

Risk Aversion Quotient

1-20

21-40

41-60

61-80

81-100

Risk Tolerance

High

Medium high

Medium

Medium low

Low

In our example, 71% is medium low, so our company has a real need for a solid security system because our risk aversion and risk tolerance are medium low, as determined by all department heads and C-level execs.

Now we have the data points we need to look at truly justifying a security solution. All too many times I have seen companies with the best intentions purchase more security than they actually need.

An RA of 71% is out of the realm of a basic security system (all-in-one device and few add-ins), but most likely not into the realm of a comprehensive solution either (redundant everything, monitoring agreements, dedicated security staff). We're looking at a moderate solution here to solve the problem of security and meet the budget goals of our organization.

Just like with anything else, there comes a point where you actually have a diminishing return on the equipment you purchase if you overbuy. Using RA and RT as tools, you can easily determine the security model you fit into based on solid data and not conjecture.

Just remember: More pieces and parts don't make your network more secure if you don't have the staff to maintain and manage the gear. Actually, it can open more holes in the network.

Jimmy Ray Purser is a networking and networking security expert at Cisco Systems.